(Reviving this thread to help the WG move forward on getting this
document published)
On 18 Jul 2018, at 5:41, Shumon Huque wrote:
On Wed, Jul 18, 2018 at 4:55 AM Eric Rescorla <e...@rtfm.com> wrote:
To the extent to which this is true, it's an argument that one should be pinning at a different layer.
(I've mentioned this in private email to some of you, but for broader
input, I'm throwing it out on the list too.)
On the topic of other layers ..
At yesterday's WG meeting, Sam Weiler suggested that the pinning information could be conveyed via the DNS. That way you would not need new holes/fields in the TLS extension. Paul said it doesn't work. But Willem Toorop and I discussed it after the meeting, and think that it does.
In reading this thread, I agree with Shumon and others that the new RR
proposal works, and it adds pinning in the DNS layer. However, I agree
with Viktor and Niko that it is more complicated than an indicator in
the chain extension about the pinning desired by the TLS server.
As was discussed by many people at the mic line at the meeting, pinning
is both important and difficult to get correct. Picking the "right"
layer at which to pin is probably one of those architectural guesses
that we might just have to make. Given that, my preference is for the
simplest solution that actually and fully gives pinning for the TLSA
record, and at this point that would be in the extension itself.
--Paul Hoffman
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls